DE69934894T2 - Method and device for optionally adjusting access to application features - Google Patents


Info

Publication number
DE69934894T2
Authority
DE (Germany)
Legal status
Expired - Lifetime
Application number
DE69934894T
Language
German (de)
Other versions
DE69934894D1
Inventors
G. Shawn Barger (Lake Hiawatha)
N. James Gershfield (Oradell)
Current assignee
Hewlett Packard Development Co LP
Original assignee
Electronic Data Systems LLC
Priority
US 09/118,621 (US6430549B1); PCT/US1999/016029 (WO2000004435A1)

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/629 Protecting access to data via a platform, e.g. using keys or access control rules, to features or functions of an application
    • G06F12/1491 Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y10S707/99931 Database or file accessing
    • Y10S707/99932 Access augmentation or optimizing

Description

  • TECHNICAL FIELD OF THE INVENTION
  • The present invention relates generally to setting a user's access to computer systems and in particular to the ability to set, selectively and flexibly, limits on the access of each of several users to the features of one or more applications running on a computer system.
  • BACKGROUND OF THE INVENTION
  • In an environment such as a shared-use service bureau, in which many employees and/or customers can access a computer system running numerous applications, it is often desirable to be able to restrict the access of certain users or classes of users to one or more features of those applications. Here the term "features" covers the nearly unlimited range of possible application functions, such as accessing data in database tables, creating, viewing and printing reports, and sending and/or receiving e-mail messages.
  • At present this flexibility in limiting user access is not available. With respect to restricting access to data, one method currently used by Oracle® Corporation in its database programs is to limit a user's ability to access particular data tables at the database level. Oracle® Corporation accomplishes this through "grants" to users, which restrict access not to the data itself but to the tables that contain the data.
  • The need for more flexibility in restricting access to application features, including the data-access feature that Oracle® grants limit, can be shown with a simple example. Below is a hypothetical data table of confidential financial transactions of customers A, B and C as of the morning of June 15, 1998, where WDRWL denotes a withdrawal, DPST a deposit and PYMNT a payment.
  • Table 1
    (Table 1 is an image in the original and is not reproduced on this page.)
  • To produce a report on only customer A's confidential transactions for the month of June, access to the data in rows 1, 4 and 6 is needed, but not to rows 2, 3, 5 and 7. Because this data is highly sensitive, limiting access to only the data relevant to the task (i.e. the report on customer A's transactions) is highly desirable.
  • Furthermore, the application used to create a report on customer A's past transactions may be able to generate several different types of report, including reports that predict future behaviour in addition to those that show past behaviour. Depending on who is assigned the task, it may be undesirable to allow access to both types of reporting feature. It may also be undesirable to allow the generated reports to be printed.
  • WO 95/22792 describes a method and apparatus for controlling access to a database. According to WO 95/22792, access to data in a database is controlled by configuring part of the database so that only some of the data in the database carry a security tag. A memory structure holding user IDs and associated user tags is provided, which represents an association between user names and user tags. Access to the stored data is decided by determining whether the security tags belonging to the data match the user tags that the memory structure associates with the user name of the user attempting to access the data. Because the mapping of user names to security tags is indirect, the security policy can be changed by modifying the intermediate data in the memory structure without changing the data in the database itself.
  • In one aspect, the present invention provides, as claimed in claim 1, a method of setting a user's access to at least one feature in a computer system that runs at least one application and maintains a database, each application having at least one feature.
  • In another aspect, a computer system according to claim 10 is provided.
  • Embodiments of the present invention provide the ability to specify which application features are available to a specific user or group of users of a computer system.
  • Embodiments of the present invention provide more flexibility than is currently available in restricting a user's access to data in table-oriented databases.
  • For a better understanding of the present invention, together with other and further objects, reference is made to the following description in conjunction with the accompanying drawings; its scope is defined in the appended claims.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Fig. 1 is a block diagram of an exemplary system according to the present invention.
  • Fig. 2 is a block diagram of the grouping scheme of the user attribute system of the present invention.
  • Fig. 3 is a flowchart of an embodiment of the method according to the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • User attributes
  • Fig. 1 shows a block diagram of an exemplary system according to the present invention. On a computer 5 runs database software 8, which maintains data tables represented by tables 11, 13 and 15. Numerous applications, represented by the applications ABC, DEF and GHI, also run on computer 5, and some of them provide facilities for retrieving and manipulating the data in tables 11, 13 and 15. Each of the users X, Y and Z of the system has a terminal, represented by computers 18, 21 and 24 respectively, with access to computer 5. According to the present invention, one or more "attributes" are associated with users X, Y and Z. Each attribute has a name, which designates an application feature to which access is being determined (for example the ability to access data in the database), and a value, which defines the access restriction, as described in detail below. Unless the context indicates otherwise, the term "attribute" is used herein to refer to such a name-value pair.
  • Attributes are stored in a table by the database software 8 and define the respective abilities of the users when running the applications ABC, DEF and GHI. Two useful attributes are, for example, DATA_SCOPE and USER_LEVEL. DATA_SCOPE defines the data to which the user has access; using Table 1 above as an example, it has the possible values A, B, C or ALL, corresponding to the data associated with customer A, B, C or all three customers respectively. USER_LEVEL is a broad attribute that defines in general terms the level of access to the particular features of whichever application a user chooses to run. USER_LEVEL preferably has the values ADMIN, REGULAR and RESTRICTED, ADMIN being the least restrictive and allowing access to all available features of a particular application, such as retrieving reports, e-mail and printing. RESTRICTED limits users to the most basic application features, such as generating reports. Users with REGULAR authority can access fewer features than users with ADMIN authority, but more than RESTRICTED users. Each application can interpret the USER_LEVEL attribute according to the particular features it provides. It will be appreciated that several narrower attributes could be used instead of USER_LEVEL, for example one each for generating and for printing reports.
  • The two attributes DATA_SCOPE and USER_LEVEL and their respective values are, of course, only examples. The skilled person will recognise the unlimited range of possible attributes that can limit access to application features.
  • Grouping
  • Attributes may be assigned to individual users or, in a preferred embodiment, a grouping scheme may be used, as illustrated in Fig. 2. There, attributes such as DATA_SCOPE and USER_LEVEL are shown as squares, "attribute groups" as triangles and "assignment groups" as circles. Attribute groups consist only of attributes and their values, whereas assignment groups consist of attribute groups and/or other assignment groups, but not of individual attributes. In a preferred embodiment of the grouping scheme, each attribute group is limited to attributes for a single application, which makes it possible to assign different attributes and values for different applications. In an alternative embodiment, attribute groups may be set up independently of particular applications, so that a group may contain attributes for all applications. While this provides less flexibility in determining access to the features of individual applications, such a system would be easier to implement.
  • In the preferred embodiment, a table APPS containing at least one column APP_CODE defines the list of valid applications that may have attributes associated with them. In the example of Fig. 1, the valid APP_CODE values are ABC, DEF and GHI. Other columns of the APPS table would hold the particular information needed by each application. For example, in a menu system that presents icons from which the user selects an application to run, an APP_NAME column would hold the string used as the visible label of the icon associated with the application in the APP_CODE column.
  • An attribute group defines a group of zero or more attributes for a specific application identified by an APP_CODE. An attribute group with zero attributes could be used to indicate that default values should be assigned for the attributes of the application in question; typically the default values are the most restrictive ones. Alternatively, an attribute group with zero attributes could be used to indicate that no access to features of the application identified by APP_CODE is set, other than the ability to run the application at all.
  • The grouping example in Fig. 2 shows a more complex user structure than the example described above in connection with Fig. 1 and Table 1. The attribute groups 106, 115, 130, 145 and 148 in Fig. 2 have the following assigned attributes:
  • Table 2
    (Table 2 is an image in the original and is not reproduced on this page.)
  • In this preferred embodiment the application to which each attribute group refers is fixed when the group is set up; in the example discussed it is shown in the second column of Table 2 above.
  • In Fig. 2, an attribute group 106 assigned to a user has the attributes DATA_SCOPE 107 and USER_LEVEL 108 with the values ALL and ADMIN respectively, as shown in Table 2. According to these attributes the user is to be granted ADMIN access to the GHI application and is given access to the data of customers A, B and C when that application is run. An attribute group 130 assigned to a user has three attributes, DATA_SCOPE 133, DATA_SCOPE 136 and USER_LEVEL 139, with the values A, B and REGULAR respectively. According to these attributes the user can access data concerning customers A and B and can use those features of application ABC that are set for a user with REGULAR status. An attribute group 145 assigned to a user has limited (RESTRICTED) access to application ABC together with access to the data of customers A and B. An attribute group 148 assigned to a user has limited (RESTRICTED) access to application DEF together with access to the data of customers B and C.
  • One or more attribute groups can be assigned to assignment groups. In Fig. 2, for example, the assignment group 142 may consist of the attribute groups 145 and 148 and thus contains all the attribute name and attribute value pairs listed in the last two columns of Table 3 below:
  • Table 3
    (Table 3 is an image in the original and is not reproduced on this page.)
  • Assignment groups can also be assigned to other assignment groups. This is shown in Fig. 2 by the assignment group 103, which contains all the attributes in assignment group 142 as well as all the attributes in attribute groups 130 and 115. The assignment group 100 at the top of the figure consists of assignment group 103 and attribute group 106. Assignment group 100 therefore contains all the attributes in each of the five attribute groups 130, 145, 148, 115 and 106.
  • The attribute grouping system is particularly suited to assigning attributes to employees for different areas of responsibility. The attribute groups 115, 130, 145 and 148, for example, can be assigned to lower- or middle-level employees, while the assignment groups 100, 103 and 142 and the attribute group 106 can be assigned to executives whose job it is to oversee the work of lower-level staff and, in the case of attribute group 106, to run applications of their own.
  • In this preferred grouping system, the assignments of attributes to attribute groups, assignment groups and users are managed in a table ATTRIBUTES. The ATTRIBUTES table has three columns: ASSIGNEE, ATTRIBUTE_NAME and ATTRIBUTE_VALUE. ASSIGNEE may be the name of an attribute group, the name of an assignment group or a user. ATTRIBUTE_NAME is the name of the attribute (for example DATA_SCOPE). ATTRIBUTE_VALUE is a specific value of the named attribute (for example ALL).
  • The ATTRIBUTES table is managed with seven simple commands. These example commands are given below as Oracle® procedures for use in an Oracle® database environment. It will be apparent to those skilled in the art that analogous commands can be derived for other environments. In the descriptions below, parameters are in single quotes and literal strings in double quotes.
  • Command No. 1
    • attr_utils.create_group ('group_name', 'group_type', 'app_code')
    • 'group_name': the name of the group.
    • 'group_type': "ATTRIBUTE" or "ASSIGNEE".
    • 'app_code': required if 'group_type' is "ATTRIBUTE"; otherwise ignored.
  • This procedure creates a group of the specified type. It terminates with an error if 'group_name' already exists as a group or as an Oracle® user.
  • The procedure first converts the values of 'group_name' and 'group_type' to upper case. Then a record with the following column values is inserted into the ATTRIBUTES table:
    Set ASSIGNEE = 'group_name'
    Set ATTRIBUTE_NAME = "ASSIGNEE_TYPE"
    Set ATTRIBUTE_VALUE = "ATTRIBUTE_GROUP" or "ASSIGNEE_GROUP", depending on the value of 'group_type'.
  • In addition, if 'group_type' is "ATTRIBUTE", a second record with the following column values is inserted into the ATTRIBUTES table:
    Set ASSIGNEE = 'group_name'
    Set ATTRIBUTE_NAME = "APP_CODE"
    Set ATTRIBUTE_VALUE = 'app_code'.
  • Command No. 2
    • attr_utils.assign_group ('assignee', 'group_name')
    • 'assignee': the user or assignment group to which 'group_name' is assigned.
    • 'group_name': the group that is assigned to the assignee.
  • This procedure assigns a group to another group or to a user. An error is raised if 'assignee' does not exist as an assignment group or as a user. An error is also raised if 'group_name' does not exist.
  • The procedure first converts the values of 'assignee' and 'group_name' to upper case. Then a record with the following column values is inserted into the ATTRIBUTES table:
    Set ASSIGNEE = 'assignee'
    Set ATTRIBUTE_NAME = "ASSIGNED_GROUP"
    Set ATTRIBUTE_VALUE = 'group_name'.
  • Command No. 3
    • attr_utils.assign_attribute ('assignee', 'attribute_name', 'attribute_value')
    • 'assignee': the name of the attribute group. This must be an attribute group.
    • 'attribute_name': the name of the attribute.
    • 'attribute_value': the value of the specified attribute.
  • This procedure assigns the attribute with the specified value to 'assignee'. An error is raised if the assignee does not exist as an attribute group or if the 'attribute_name' parameter is reserved.
  • The procedure first converts the values of 'assignee' and 'attribute_name' to upper case. Then a record with the following column values is inserted into the ATTRIBUTES table:
    Set ASSIGNEE = 'assignee'
    Set ATTRIBUTE_NAME = 'attribute_name'
    Set ATTRIBUTE_VALUE = 'attribute_value'.
  • Command No. 4
    • attr_utils.drop_group ('group_name')
    • 'group_name': the name of the group or user that is deleted, together with all references to that group or user.
  • This procedure removes a group or user together with every reference to that group or user. An error is raised if 'group_name' does not exist.
  • The procedure first converts 'group_name' to upper case and then deletes all records in the ATTRIBUTES table whose ASSIGNEE column matches 'group_name'. In addition, all records in the ATTRIBUTES table that meet the following two criteria are deleted:
    • a. The value in the ATTRIBUTE_NAME column is "ASSIGNED_GROUP".
    • b. The value in the ATTRIBUTE_VALUE column is the same as 'group_name'.
  • Command No. 5
    • attr_utils.rescind_group ('assignee', 'group_name')
    • 'assignee': the user or assignment group from which 'group_name' is revoked.
    • 'group_name': the group that is revoked from the assignee.
  • This procedure revokes the specified 'group_name' from 'assignee'. An error is raised if 'group_name' or 'assignee' does not exist.
  • The procedure first converts 'assignee' and 'group_name' to upper case and then deletes all records in the ATTRIBUTES table that meet the following three criteria:
    • a. The value in the ATTRIBUTE_NAME column is "ASSIGNED_GROUP".
    • b. The value in the ATTRIBUTE_VALUE column is the same as 'group_name'.
    • c. The value in the ASSIGNEE column is the same as 'assignee'.
  • Command No. 6
    • attr_utils.rescind_attribute ('assignee', 'attribute_name')
    • 'assignee': the name of the attribute group. This must be an attribute group.
    • 'attribute_name': the name of the attribute.
  • This procedure revokes the specified 'attribute_name' from 'assignee'. An error is raised if the attribute name or the assignee does not exist, or if the 'attribute_name' parameter is reserved.
  • The procedure first converts 'assignee' and 'attribute_name' to upper case and then deletes all records in the ATTRIBUTES table that meet the following two criteria:
    • a. The value in the ASSIGNEE column is the same as 'assignee'.
    • b. The value in the ATTRIBUTE_NAME column is the same as 'attribute_name'.
  • Command No. 7
    • attr_utils.update_attribute ('assignee', 'attribute_name', 'attribute_value')
    • 'assignee': the name of the attribute group. This must be an attribute group.
    • 'attribute_name': the name of the attribute.
    • 'attribute_value': the new value of the specified attribute.
  • This procedure updates the value of the specified 'attribute_name' for the specified 'assignee' to 'attribute_value'. An error is raised if the attribute name or the assignee does not exist, or if the 'attribute_name' parameter is reserved.
  • The procedure first converts 'assignee' and 'attribute_name' to upper case and then updates the ATTRIBUTES table by setting the ATTRIBUTE_VALUE column to 'attribute_value' for all records that meet the following criteria:
    • a. The value in the ASSIGNEE column is the same as 'assignee'.
    • b. The value in the ATTRIBUTE_NAME column is the same as 'attribute_name'.
  • The ATTRIBUTES table is managed with the commands above. As commands 1 and 2 show, the preferred embodiment uses several reserved attribute names in the ATTRIBUTES table to denote information used by the system itself. The attribute name "APP_CODE" is assigned automatically to an attribute group to identify the application associated with that group. The attribute name "ASSIGNED_GROUP" is used to assign attribute groups to assignment groups, assignment groups to other assignment groups, and attribute groups and assignment groups to users. The attribute name "ASSIGNEE_TYPE" indicates whether a group is an attribute group or an assignment group. The procedures validate every ATTRIBUTE_NAME parameter to verify that it is not reserved and raise an error on any attempt to use a reserved attribute name.
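  • The seven commands above, as an added illustration written for this page (it is not the patent's Oracle code): the same ATTRIBUTES table and the same checks, on an in-memory SQLite database so that the behaviour can be run. The db_users list is an assumed stand-in for the Oracle user catalogue that the real procedures would consult; everything else follows the descriptions of commands 1 to 7.

```python
"""Added illustration for this page (not the patent's Oracle procedures):
the seven attr_utils commands on an in-memory SQLite ATTRIBUTES table.
The db_users list is an assumed stand-in for the Oracle user catalogue."""
import sqlite3

RESERVED = {"APP_CODE", "ASSIGNED_GROUP", "ASSIGNEE_TYPE"}
INSERT = "INSERT INTO ATTRIBUTES VALUES (?, ?, ?)"


class AttrUtils:
    def __init__(self, db_users=()):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE ATTRIBUTES (ASSIGNEE TEXT, "
                        "ATTRIBUTE_NAME TEXT, ATTRIBUTE_VALUE TEXT)")
        self.users = {u.upper() for u in db_users}

    def rows(self, assignee=None):
        """All rows, or the rows of one assignee, as sorted tuples."""
        if assignee is None:
            cur = self.db.execute("SELECT * FROM ATTRIBUTES")
        else:
            cur = self.db.execute("SELECT * FROM ATTRIBUTES WHERE ASSIGNEE=?", (assignee.upper(),))
        return sorted(cur.fetchall())

    def _type(self, name):
        """ATTRIBUTE_GROUP, ASSIGNEE_GROUP, or None if no such group exists."""
        row = self.db.execute("SELECT ATTRIBUTE_VALUE FROM ATTRIBUTES WHERE ASSIGNEE=? "
                              "AND ATTRIBUTE_NAME='ASSIGNEE_TYPE'", (name,)).fetchone()
        return row[0] if row else None

    def _exists(self, name):
        return name in self.users or self._type(name) is not None

    def _check_attr(self, assignee, attribute_name):
        """Shared by commands 6 and 7: the pair must exist and must not be reserved."""
        if attribute_name in RESERVED:
            raise ValueError(f"{attribute_name} is a reserved attribute name")
        if self.db.execute("SELECT 1 FROM ATTRIBUTES WHERE ASSIGNEE=? AND ATTRIBUTE_NAME=?",
                           (assignee, attribute_name)).fetchone() is None:
            raise ValueError(f"{assignee} has no attribute {attribute_name}")

    def create_group(self, group_name, group_type, app_code=None):  # command 1
        group_name, group_type = group_name.upper(), group_type.upper()
        if self._exists(group_name):
            raise ValueError(f"{group_name} already exists as a group or user")
        if group_type not in ("ATTRIBUTE", "ASSIGNEE"):
            raise ValueError("group_type must be ATTRIBUTE or ASSIGNEE")
        if group_type == "ATTRIBUTE" and not app_code:
            raise ValueError("app_code is required for an attribute group")
        self.db.execute(INSERT, (group_name, "ASSIGNEE_TYPE", group_type + "_GROUP"))
        if group_type == "ATTRIBUTE":  # app_code is ignored for an assignment group
            self.db.execute(INSERT, (group_name, "APP_CODE", app_code.upper()))

    def assign_group(self, assignee, group_name):  # command 2
        assignee, group_name = assignee.upper(), group_name.upper()
        if assignee not in self.users and self._type(assignee) != "ASSIGNEE_GROUP":
            raise ValueError(f"{assignee} is neither a user nor an assignment group")
        if self._type(group_name) is None:
            raise ValueError(f"group {group_name} does not exist")
        self.db.execute(INSERT, (assignee, "ASSIGNED_GROUP", group_name))

    def assign_attribute(self, assignee, attribute_name, attribute_value):  # command 3
        assignee, attribute_name = assignee.upper(), attribute_name.upper()
        if self._type(assignee) != "ATTRIBUTE_GROUP":
            raise ValueError(f"{assignee} is not an attribute group")
        if attribute_name in RESERVED:
            raise ValueError(f"{attribute_name} is a reserved attribute name")
        self.db.execute(INSERT, (assignee, attribute_name, attribute_value))

    def drop_group(self, group_name):  # command 4: the assignee and every reference to it
        group_name = group_name.upper()
        if not self._exists(group_name):
            raise ValueError(f"{group_name} does not exist")
        self.db.execute("DELETE FROM ATTRIBUTES WHERE ASSIGNEE=?", (group_name,))
        self.db.execute("DELETE FROM ATTRIBUTES WHERE ATTRIBUTE_NAME='ASSIGNED_GROUP' "
                        "AND ATTRIBUTE_VALUE=?", (group_name,))

    def rescind_group(self, assignee, group_name):  # command 5
        assignee, group_name = assignee.upper(), group_name.upper()
        if not self._exists(assignee) or self._type(group_name) is None:
            raise ValueError("assignee or group does not exist")
        self.db.execute("DELETE FROM ATTRIBUTES WHERE ASSIGNEE=? AND ATTRIBUTE_NAME="
                        "'ASSIGNED_GROUP' AND ATTRIBUTE_VALUE=?", (assignee, group_name))

    def rescind_attribute(self, assignee, attribute_name):  # command 6
        assignee, attribute_name = assignee.upper(), attribute_name.upper()
        self._check_attr(assignee, attribute_name)
        self.db.execute("DELETE FROM ATTRIBUTES WHERE ASSIGNEE=? AND ATTRIBUTE_NAME=?",
                        (assignee, attribute_name))

    def update_attribute(self, assignee, attribute_name, attribute_value):  # command 7
        assignee, attribute_name = assignee.upper(), attribute_name.upper()
        self._check_attr(assignee, attribute_name)
        self.db.execute("UPDATE ATTRIBUTES SET ATTRIBUTE_VALUE=? WHERE ASSIGNEE=? "
                        "AND ATTRIBUTE_NAME=?", (attribute_value, assignee, attribute_name))
```

  • Two points worth noticing when running it. Command 7 updates every record that matches the assignee and attribute name, so on a group like 130 above, which carries DATA_SCOPE twice (A and B), a single update_attribute call sets both rows to the new value; when only one of them should change, rescind and re-assign instead. And none of the checks prevents a chain of ASSIGNED_GROUP rows that leads back to its own start, so whatever later reads the table has to be prepared for a cycle.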
  • As an example, the part of the ATTRIBUTES table belonging to assignment group 142 in Fig. 2 is shown in Table 4 below:
  • Table 4
    (Table 4 is an image in the original and is not reproduced on this page.)
  • In the alternative embodiment discussed above, in which attribute groups are not limited to specific applications, the create_group procedure does not take an app_code parameter and no APP_CODE attributes are kept in the ATTRIBUTES table. General access to applications could nevertheless be controlled with an additional table that maps APP_CODEs directly to users: if a user is not assigned a particular APP_CODE, the corresponding application would not be available to that user.
  • Parent-child hierarchy
  • The ability to assign multiple attribute groups and/or assignment groups to a single assignment group often results in overlapping, repeated and even conflicting values being assigned to a group or user for the same attribute. For example, assignment group 100 at the top of Fig. 2 contains all the attributes in the figure and therefore, as shown in Table 4 above, comprises for the same application DEF the different values B, C and ALL for the attribute DATA_SCOPE as well as the different values REGULAR and RESTRICTED for the attribute USER_LEVEL. For this reason, in a preferred embodiment, attribute hierarchy rules are defined in which a "parent value" is assigned to each attribute value, so that, for example, the value B of the attribute DATA_SCOPE has the parent value ALL. In practice, if the attributes associated with a user include both a parent value and a child value for the same attribute and application, the parent is inherited and the child is discarded; repeated values are likewise discarded.
  • The parent-child assignments are managed in a table ATTRIBUTE_LEVELS with three columns: ATTRIBUTE_NAME, CHILD_VALUE and PARENT_VALUE. ATTRIBUTE_NAME is the name of an attribute (for example DATA_SCOPE). CHILD_VALUE is an actual value of the attribute (for example C). PARENT_VALUE is the value of which the actual value represents a subset (for example ALL). If the actual attribute value is the highest in the hierarchy, for example ALL, the assigned parent value is NULL.
  • The ATTRIBUTE_LEVELS table is managed with four simple commands. These example commands are given below as Oracle® procedures for use in an Oracle® database environment. It will be apparent to those skilled in the art that analogous commands can be derived for other database environments. In the descriptions below, parameters are in single quotes and literal strings in double quotes.
  • Command No. 1
    • attr_utils.add_attr_level ('attribute_name', 'child_value', 'parent_value')
    • 'attribute_name': the name of the attribute.
    • 'child_value': the child value for the specified 'attribute_name'.
    • 'parent_value': the parent of the specified 'child_value' for the specified 'attribute_name'.
  • This procedure adds a new attribute level for the specified parameters. 'parent_value' may be NULL if 'child_value' is the highest privilege level for the specified 'attribute_name'. An error is raised if the parent value is not NULL and does not exist.
  • The procedure first converts 'attribute_name' to upper case and then inserts a record with the following column values into the ATTRIBUTE_LEVELS table:
    Set ATTRIBUTE_NAME = 'attribute_name'
    Set CHILD_VALUE = 'child_value'
    Set PARENT_VALUE = 'parent_value'.
  • Command No. 2
    • attr_utils.update_attr_level ('attribute_name', 'child_value', 'parent_value')
    • 'attribute_name': the name of the attribute.
    • 'child_value': the child value for the specified 'attribute_name'.
    • 'parent_value': the new parent of the specified 'child_value' for the specified 'attribute_name'.
  • This procedure updates the parent value for the specified parameters. 'parent_value' may be NULL if 'child_value' is the highest privilege level for the specified 'attribute_name'. An error is raised if the parent value is not NULL and does not exist, or if the combination of attribute name and child value does not exist.
  • The procedure first converts 'attribute_name' to upper case and then updates the ATTRIBUTE_LEVELS table by setting the PARENT_VALUE column to 'parent_value' for all records that meet the following two criteria:
    • a. The value in the ATTRIBUTE_NAME column is the same as 'attribute_name'.
    • b. The value in the CHILD_VALUE column is the same as 'child_value'.
  • Command No. 3
    • attr_utils.delete_attr_levels ('attribute_name', 'child_value')
    • 'attribute_name': the name of the attribute.
    • 'child_value': the child value for the specified 'attribute_name'.
  • This procedure deletes the attribute level and all descendant attribute levels for the specified parameters. An error is raised if the combination does not exist.
  • The procedure first converts 'attribute_name' to upper case and then deletes all records in the ATTRIBUTE_LEVELS table that are descendants of the specified pair 'attribute_name'/'child_value'. For example, the following SQL statement (with P_ATTRIBUTE_NAME and P_CHILD_VALUE standing for the procedure's two parameters) could be used for these first two steps:
    DELETE FROM ATTRIBUTE_LEVELS
    WHERE (ATTRIBUTE_NAME, CHILD_VALUE) IN
      (SELECT ATTRIBUTE_NAME, CHILD_VALUE
       FROM ATTRIBUTE_LEVELS
       START WITH PARENT_VALUE = P_CHILD_VALUE
         AND ATTRIBUTE_NAME = UPPER(P_ATTRIBUTE_NAME)
       CONNECT BY PARENT_VALUE = PRIOR CHILD_VALUE
         AND ATTRIBUTE_NAME = PRIOR ATTRIBUTE_NAME);
  • The procedure then deletes all records in the ATTRIBUTE_LEVELS table that meet the following two criteria:
    • a. The value in the ATTRIBUTE_NAME column is the same as 'attribute_name'.
    • b. The value in the CHILD_VALUE column is the same as 'child_value'.
  • Command No. 4
    • attr_utils.delete_all_levels ('attribute_name')
    • 'attribute_name': the name of the attribute.
  • This procedure deletes all attribute levels for the specified 'attribute_name'. An error is raised if 'attribute_name' does not exist.
  • The procedure first converts 'attribute_name' to upper case and then deletes all records in the ATTRIBUTE_LEVELS table whose ATTRIBUTE_NAME column matches 'attribute_name'.
  • The ATTRIBUTE_LEVELS table is managed with the above commands. As an example, an ATTRIBUTE_LEVELS table for the example attributes discussed above is shown in Table 5 below:
  • Table 5
    (Table 5 is an image in the original and is not reproduced on this page.)
  • According to Table 5, all assignments of the DATA_SCOPE attribute with the values A, B or C are discarded if a DATA_SCOPE of ALL is assigned to the same user for the same application. In the same way, assignments of lower USER_LEVEL values are discarded in favour of the highest assigned value.
  • If an attribute value is assigned in the ATTRIBUTES table but not defined in the ATTRIBUTE_LEVELS table, it is preferably treated as if it were defined in ATTRIBUTE_LEVELS with a NULL parent value, and as if no other value had it as its parent value.
  • A further minimisation can be achieved by taking into account that a complete set of assigned values at a lower level can be replaced by the value at the higher level. For example, if the DATA_SCOPE values A, B and C are all assigned, the system could respond with the value ALL. This minimisation should only be made if the complete set of lower-level values in fact represents the same thing as the higher-level value, because it is possible that the higher-level value represents more than the sum of the lower-level values.
  • How the user attribute system works
  • In the following description of the exemplary use of the user attribute system of the present invention, reference is made to FIG. 3. In accordance with a preferred embodiment of the invention, access to the applications executing in a database environment is controlled by an initial graphical user interface (IGUI). Examples of IGUIs are Internet home pages and the home pages of local networks.
  • Before gaining access to the applications, however, a user generally logs in to a computer system, as shown in box 201, and the computer system recognizes the user if the login is carried out correctly. In box 204 the IGUI retrieves the applications available to the user. In the preferred embodiment, the IGUI does this by accessing the ATTRIBUTES table (see arrow 205), which contains the group assignments for the user. As described above, in the preferred embodiment the group assignments include attribute group assignments, which in turn contain the specification of the available applications. Rather than searching the entire ATTRIBUTES table, which can be quite extensive, an Oracle® database system can create "views" of the results of frequently used searches (for example, the attributes for a particular user) that are likely to be reused repeatedly. In the alternative embodiment, where the attributes are not limited to particular applications, the applications available to a particular user may be stored in and retrieved from a separate table.
  • At arrow 205 the IGUI also accesses the valid-applications table APPS, which contains an APP_CODE column, to determine which string is displayed to the user in box 207 when the IGUI shows the available applications. In box 210 the user selects one of the available applications. In box 213 the IGUI accesses the ATTRIBUTES table (see arrow 214) and retrieves the user attributes for the selected application. In an Oracle® database system, an Oracle® view can be used to retrieve the attributes. In addition, the IGUI can access the ATTRIBUTE_LEVELS table to reduce the number of attributes.
  • At arrow 215 the IGUI passes the relevant attributes to the application, and in box 216 the application is executed, with the application enforcing the attributes. If the user attempts to exceed the access limits defined by the attributes, an error or warning message may be displayed.
  • It will be apparent to one skilled in the art that in an alternative embodiment an application can retrieve the attributes directly, without support from an IGUI, and enforce the attributes itself.
  • Views
  • As previously mentioned, Oracle® views can be used in the present invention to retrieve and organize records from tables. The following is a list of twelve views that have proven useful in the implementation of the invention. In each case an explanation of the view and an SQL example are given.
  • View No. 1
  • V_ATTRIBUTE_APP_CODES
  • This view returns a list of all the distinct application codes that are set up in the user attribute system. The view performs a SELECT with the DISTINCT clause on records where ATTRIBUTE_NAME is the reserved ATTRIBUTE_NAME 'APP_CODE'.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTRIBUTE_APP_CODES AS
     SELECT DISTINCT ASSIGNEE,
     ATTRIBUTE_VALUE APP_CODE
     FROM ATTRIBUTES
     WHERE ATTRIBUTE_NAME = 'APP_CODE';
  • View No. 2
  • V_ATTRIBUTE_GROUPS_ATTR
  • This view returns a list of all the distinct attribute groups. The view performs a SELECT with the DISTINCT clause on records where ATTRIBUTE_NAME is the reserved ATTRIBUTE_NAME 'ASSIGNEE_TYPE' and ATTRIBUTE_VALUE is 'ATTRIBUTE_GROUP'.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTRIBUTE_GROUPS_ATTR AS
     SELECT DISTINCT ASSIGNEE GROUP_NAME
     FROM ATTRIBUTES
     WHERE ATTRIBUTE_NAME = 'ASSIGNEE_TYPE'
     AND ATTRIBUTE_VALUE = 'ATTRIBUTE_GROUP';
  • View No. 3
  • V_ATTRIBUTE_GROUPS_ASSIGN
  • This view returns a list of all the distinct assignee groups. The view performs a SELECT with the DISTINCT clause on records where ATTRIBUTE_NAME is the reserved ATTRIBUTE_NAME 'ASSIGNEE_TYPE' and ATTRIBUTE_VALUE is 'ASSIGNEE_GROUP'.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTRIBUTE_GROUPS_ASSIGN AS
     SELECT DISTINCT ASSIGNEE GROUP_NAME
     FROM ATTRIBUTES
     WHERE ATTRIBUTE_NAME = 'ASSIGNEE_TYPE'
     AND ATTRIBUTE_VALUE = 'ASSIGNEE_GROUP';
  • View no. 4
  • V_ATTRIBUTE_USERS
  • This view returns a list of all the distinct attribute users. The view performs a SELECT with the DISTINCT clause on records where the ASSIGNEE matches a USERNAME in the ALL_USERS table of the Oracle data dictionary.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTRIBUTE_USERS AS
     SELECT DISTINCT ASSIGNEE USERID
     FROM ATTRIBUTES,
     ALL_USERS
     WHERE ASSIGNEE = USERNAME;
  • View No. 5
  • V_ATTRIBUTE_GROUPS_ALL
  • This view returns a list of all the distinct groups in the system, including both attribute groups and assignee groups. The view performs a SELECT with the DISTINCT clause on records where the ASSIGNEE is not an attribute user.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTRIBUTE_GROUPS_ALL AS
     SELECT DISTINCT ASSIGNEE GROUP_NAME
     FROM ATTRIBUTES,
     V_ATTRIBUTE_USERS
     WHERE ASSIGNEE = USERID (+)
     AND USERID IS NULL;
  • View No. 6
  • V_USER_GROUPS
  • This view returns a list of all the groups currently associated with the connected Oracle user. The results include groups that are directly assigned to the user as well as groups that are indirectly assigned to the user, that is, groups assigned to the assignee groups associated with the user. The view performs a hierarchical query using the CONNECT BY clause.
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_GROUPS AS
     SELECT ATTRIBUTE_NAME,
     ATTRIBUTE_VALUE
     FROM ATTRIBUTES
     WHERE ATTRIBUTE_NAME != 'ASSIGNEE_TYPE'
     START WITH ASSIGNEE = USER
     CONNECT BY ASSIGNEE = PRIOR ATTRIBUTE_VALUE
     AND ATTRIBUTE_NAME = 'ASSIGNED_GROUP';
  • View No. 7
  • V_USER_ATTR_APPS
  • This view returns a list of all the attributes assigned to the currently connected Oracle user, together with the corresponding APP_CODE. The view combines the list of groups assigned to the user (V_USER_GROUPS), the ATTRIBUTES table and the list of ATTRIBUTE_GROUPS with their corresponding APP_CODE values (V_ATTRIBUTE_APP_CODES).
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_ATTR_APPS AS
     SELECT ATTR.ATTRIBUTE_NAME,
     ATTR.ATTRIBUTE_VALUE,
     APPS.APP_CODE
     FROM V_USER_GROUPS GROUPS,
     ATTRIBUTES ATTR,
     V_ATTRIBUTE_APP_CODES APPS
     WHERE GROUPS.ATTRIBUTE_VALUE = ATTR.ASSIGNEE
     AND ATTR.ASSIGNEE = APPS.ASSIGNEE
     AND ATTR.ATTRIBUTE_NAME NOT IN
     ('ASSIGNED_GROUP', 'APP_CODE', 'ASSIGNEE_TYPE');
  • View no. 8
  • V_USER_ATTR_HIGHEST_VALUES
  • This view returns a list of the highest-level ATTRIBUTE_VALUES for the corresponding ATTRIBUTE_NAMES. The view can contain duplicate entries, so the view V_USER_ATTRIBUTES described below retrieves the list of distinct values from it. The view passes the APP_CODE, ATTRIBUTE_NAME and ATTRIBUTE_VALUE of each attribute assigned to the current user to the function ATTR_UTILS.HIGHEST_VALUE. A function is the same as a procedure, except that it can be executed as part of a query and returns a value as its result.
  • As its result, the function returns the highest root value currently assigned to the user. A description of this function is given after the SQL example for this view.
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_ATTR_HIGHEST_VALUES AS
     SELECT APP_CODE,
     ATTRIBUTE_NAME,
     SUBSTR(ATTR_UTILS.HIGHEST_VALUE(APP_CODE,
     ATTRIBUTE_NAME, ATTRIBUTE_VALUE), 1, 30)
     ATTRIBUTE_VALUE
     FROM V_USER_ATTR_APPS;
  • The ATTR_UTILS.HIGHEST_VALUE function requires three inputs: the APP_CODE, the ATTRIBUTE_NAME and the ATTRIBUTE_VALUE. First, the function loads an internal attribute value table with all attribute values associated with the user and the specified APP_CODE and ATTRIBUTE_NAME. To do this, the function can use one of the existing views (that is, V_USER_ATTR_VALUE_LEVELS). The function then takes the current attribute value and finds all of its ancestor (parent) values, using an SQL query that looks like this:
     SELECT PARENT_VALUE
     FROM ATTRIBUTE_LEVELS
     WHERE ATTRIBUTE_NAME = P_ATTRIBUTE_NAME
     START WITH CHILD_VALUE = P_ATTRIBUTE_VALUE
     CONNECT BY CHILD_VALUE = PRIOR PARENT_VALUE
     ORDER BY LEVEL;
  • The function then compares each ancestor value with the records in the attribute value table to determine whether one of the other assigned attribute values is an ancestor, that is, a parent, grandparent, etc., of the current attribute value. If so, the higher-level attribute value is returned as the result. Otherwise, the current attribute value is returned.
  • View No. 9
  • V_ATTR_VALUE_LEVELS
  • This view returns a list of ATTRIBUTE_NAMES, the associated ATTRIBUTE_VALUES and the corresponding level of each value. The highest level of an ATTRIBUTE_VALUE, for example, has a level of 1, while a descendant of that value has level 2. The view performs a hierarchical query using the CONNECT BY clause.
  • SQL example:
     CREATE OR REPLACE VIEW V_ATTR_VALUE_LEVELS AS
     SELECT ATTRIBUTE_NAME,
     CHILD_VALUE ATTRIBUTE_VALUE,
     LEVEL VALUE_LEVEL
     FROM ATTRIBUTE_LEVELS
     START WITH PARENT_VALUE IS NULL
     CONNECT BY PARENT_VALUE = PRIOR CHILD_VALUE
     AND ATTRIBUTE_NAME = PRIOR ATTRIBUTE_NAME;
  • View No. 10
  • V_USER_ATTR_VALUE_LEVELS
  • This view returns a list of all the attributes assigned to the user and their corresponding levels. The view combines the list of attributes assigned to the currently connected Oracle user (V_USER_ATTR_APPS) and the list of attributes with their corresponding levels (V_ATTR_VALUE_LEVELS).
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_ATTR_VALUE_LEVELS AS
     SELECT APP_CODE,
     ATTR.ATTRIBUTE_NAME,
     ATTR.ATTRIBUTE_VALUE,
     NVL(LVL.VALUE_LEVEL, 1) VALUE_LEVEL
     FROM V_USER_ATTR_APPS ATTR,
     V_ATTR_VALUE_LEVELS LVL
     WHERE ATTR.ATTRIBUTE_NAME = LVL.ATTRIBUTE_NAME (+)
     AND ATTR.ATTRIBUTE_VALUE = LVL.ATTRIBUTE_VALUE (+);
  • View No. 11
  • V_USER_APP_CODES
  • This view returns a list of all the distinct APP_CODES assigned to the current user. The view performs a hierarchical query using the CONNECT BY clause.
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_APP_CODES AS
     SELECT DISTINCT ATTR.ATTRIBUTE_VALUE APP_CODE
     FROM (SELECT ATTRIBUTE_NAME,
     ATTRIBUTE_VALUE
     FROM ATTRIBUTES
     START WITH ASSIGNEE = USER
     CONNECT BY ASSIGNEE = PRIOR ATTRIBUTE_VALUE
     AND ATTRIBUTE_NAME = 'ASSIGNED_GROUP') GROUPS,
     ATTRIBUTES ATTR
     WHERE GROUPS.ATTRIBUTE_VALUE = ATTR.ASSIGNEE
     AND ATTR.ATTRIBUTE_NAME = 'APP_CODE';
  • View No. 12
  • V_USER_ATTRIBUTES
  • This view returns a list of all the attributes assigned to the user, with only the highest-level ATTRIBUTE_VALUES for the corresponding ATTRIBUTE_NAMES. The view performs a SELECT DISTINCT on V_USER_ATTR_HIGHEST_VALUES.
  • SQL example:
     CREATE OR REPLACE VIEW V_USER_ATTRIBUTES AS
     SELECT DISTINCT
     APP_CODE,
     ATTRIBUTE_NAME,
     ATTRIBUTE_VALUE
     FROM V_USER_ATTR_HIGHEST_VALUES;
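  • To make the resolution performed by the views above and by ATTR_UTILS.HIGHEST_VALUE concrete, together with the IGUI flow of boxes 204 to 216 (list the user's applications, retrieve the attributes for one of them, enforce them), here is an added Python example that is not part of the patent. It models the ATTRIBUTES and ATTRIBUTE_LEVELS tables in an in-memory SQLite database with constructed sample users (ALICE, BOB), groups and application codes modelled on the DATA_SCOPE and USER_LEVEL example, rewrites the CONNECT BY queries as recursive CTEs (SQLite has no CONNECT BY), reduces each user's attributes to their highest assigned values, and checks a request against the result. One assumption goes beyond the page: when several assigned values are ancestors of the current value, the topmost one is chosen, so the result stays minimal for hierarchies deeper than the two-level DATA_SCOPE example.

```python
import sqlite3

# Added example, not the patent's code. Table and column names follow the
# page; the users, groups and application codes are constructed sample data.
ATTRIBUTES = [  # (ASSIGNEE, ATTRIBUTE_NAME, ATTRIBUTE_VALUE)
    ("ALICE", "ASSIGNED_GROUP", "RPT_BASIC"),
    ("ALICE", "ASSIGNED_GROUP", "ANALYSTS"),
    ("BOB", "ASSIGNED_GROUP", "RPT_BASIC"),
    ("ANALYSTS", "ASSIGNEE_TYPE", "ASSIGNEE_GROUP"),  # a group of groups
    ("ANALYSTS", "ASSIGNED_GROUP", "RPT_FULL"),
    ("ANALYSTS", "ASSIGNED_GROUP", "INV_VIEWERS"),
    ("RPT_BASIC", "ASSIGNEE_TYPE", "ATTRIBUTE_GROUP"),
    ("RPT_BASIC", "APP_CODE", "RPT"),
    ("RPT_BASIC", "DATA_SCOPE", "A"),
    ("RPT_BASIC", "DATA_SCOPE", "B"),
    ("RPT_BASIC", "USER_LEVEL", "1"),
    ("RPT_FULL", "ASSIGNEE_TYPE", "ATTRIBUTE_GROUP"),
    ("RPT_FULL", "APP_CODE", "RPT"),
    ("RPT_FULL", "DATA_SCOPE", "ALL"),
    ("RPT_FULL", "USER_LEVEL", "3"),
    ("INV_VIEWERS", "ASSIGNEE_TYPE", "ATTRIBUTE_GROUP"),
    ("INV_VIEWERS", "APP_CODE", "INV"),
    ("INV_VIEWERS", "DATA_SCOPE", "C"),
]

# Parent/child relationships in the spirit of Table 5: ALL is the parent of
# A, B and C; USER_LEVEL 3 > 2 > 1. A NULL parent marks the root of a hierarchy.
ATTRIBUTE_LEVELS = [  # (ATTRIBUTE_NAME, PARENT_VALUE, CHILD_VALUE)
    ("DATA_SCOPE", None, "ALL"),
    ("DATA_SCOPE", "ALL", "A"),
    ("DATA_SCOPE", "ALL", "B"),
    ("DATA_SCOPE", "ALL", "C"),
    ("USER_LEVEL", None, "3"),
    ("USER_LEVEL", "3", "2"),
    ("USER_LEVEL", "2", "1"),
]

# Counterpart of V_USER_GROUPS: the groups assigned directly to the user plus
# those reached indirectly through assignee groups.
GROUPS_CTE = """
WITH RECURSIVE grp(name) AS (
    SELECT ATTRIBUTE_VALUE FROM ATTRIBUTES
     WHERE ASSIGNEE = :user AND ATTRIBUTE_NAME = 'ASSIGNED_GROUP'
    UNION
    SELECT a.ATTRIBUTE_VALUE FROM ATTRIBUTES a JOIN grp g ON a.ASSIGNEE = g.name
     WHERE a.ATTRIBUTE_NAME = 'ASSIGNED_GROUP'
)
"""


def build_db():
    """Create the two tables in memory and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ATTRIBUTES (ASSIGNEE TEXT, ATTRIBUTE_NAME TEXT, ATTRIBUTE_VALUE TEXT)")
    conn.execute("CREATE TABLE ATTRIBUTE_LEVELS (ATTRIBUTE_NAME TEXT, PARENT_VALUE TEXT, CHILD_VALUE TEXT)")
    conn.executemany("INSERT INTO ATTRIBUTES VALUES (?, ?, ?)", ATTRIBUTES)
    conn.executemany("INSERT INTO ATTRIBUTE_LEVELS VALUES (?, ?, ?)", ATTRIBUTE_LEVELS)
    return conn


def user_attr_apps(conn, user):
    """Counterpart of V_USER_ATTR_APPS: (app_code, attribute_name, value) for
    every attribute group the user reaches that carries an APP_CODE."""
    sql = GROUPS_CTE + """
    SELECT apps.ATTRIBUTE_VALUE, attr.ATTRIBUTE_NAME, attr.ATTRIBUTE_VALUE
      FROM grp g
      JOIN ATTRIBUTES attr ON attr.ASSIGNEE = g.name
      JOIN ATTRIBUTES apps ON apps.ASSIGNEE = g.name AND apps.ATTRIBUTE_NAME = 'APP_CODE'
     WHERE attr.ATTRIBUTE_NAME NOT IN ('ASSIGNED_GROUP', 'APP_CODE', 'ASSIGNEE_TYPE')"""
    return conn.execute(sql, {"user": user}).fetchall()


def user_app_codes(conn, user):
    """Counterpart of V_USER_APP_CODES: the applications the IGUI offers (box 204)."""
    return sorted({app for app, _, _ in user_attr_apps(conn, user)})


def ancestors(conn, attr_name, value):
    """Parent, grandparent, ... of a value, nearest first; this is the
    CONNECT BY CHILD_VALUE = PRIOR PARENT_VALUE ... ORDER BY LEVEL query."""
    sql = """
    WITH RECURSIVE up(parent, depth) AS (
        SELECT PARENT_VALUE, 1 FROM ATTRIBUTE_LEVELS
         WHERE ATTRIBUTE_NAME = :n AND CHILD_VALUE = :v
        UNION ALL
        SELECT l.PARENT_VALUE, up.depth + 1
          FROM ATTRIBUTE_LEVELS l JOIN up ON l.CHILD_VALUE = up.parent
         WHERE l.ATTRIBUTE_NAME = :n
    )
    SELECT parent FROM up WHERE parent IS NOT NULL ORDER BY depth"""
    return [row[0] for row in conn.execute(sql, {"n": attr_name, "v": value})]


def highest_value(conn, attr_name, value, assigned):
    """ATTR_UTILS.HIGHEST_VALUE as described on the page: if another assigned
    value is an ancestor of `value`, return that ancestor, otherwise `value`.
    Assumption: the topmost assigned ancestor wins, keeping the result minimal."""
    for parent in reversed(ancestors(conn, attr_name, value)):
        if parent in assigned:
            return parent
    return value


def user_attributes(conn, user):
    """Counterpart of V_USER_ATTRIBUTES: distinct (app, name, highest value)."""
    rows = user_attr_apps(conn, user)
    resolved = set()
    for app, name, value in rows:
        assigned = {v for a, n, v in rows if a == app and n == name}
        resolved.add((app, name, highest_value(conn, name, value, assigned)))
    return sorted(resolved)


def can_access(conn, user, app, attr_name, requested):
    """Enforcement (box 216): a request is within the user's limits if the
    requested value, or one of its ancestors, is a resolved attribute value."""
    allowed = {v for a, n, v in user_attributes(conn, user) if a == app and n == attr_name}
    return requested in allowed or any(p in allowed for p in ancestors(conn, attr_name, requested))


if __name__ == "__main__":
    db = build_db()
    for who in ("ALICE", "BOB"):
        print(who, user_app_codes(db, who), user_attributes(db, who))
    print("BOB -> RPT scope C:", can_access(db, "BOB", "RPT", "DATA_SCOPE", "C"))
```

Running it shows ALICE's three RPT DATA_SCOPE assignments (A, B and ALL) collapsing to ALL and her USER_LEVEL 1 and 3 to 3, exactly the discarding Table 5 describes, while BOB keeps A, B and 1 and is refused scope C. A value that has no row in ATTRIBUTE_LEVELS simply has no ancestors and is kept as its own root, matching the NULL-root treatment described above.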
  • To ensure that the data in the ATTRIBUTES and ATTRIBUTE_LEVELS tables is managed properly in an Oracle® environment, preferably only Oracle® procedures are used to perform the management of user attributes. This can be guaranteed by restricting access to the various objects in the user attribute system, such as tables, views, procedures and functions. The ATTRIBUTES and ATTRIBUTE_LEVELS tables and all views should be assigned read-only permission. The execute permission for the Oracle® procedures used to administer these tables should be assigned only to the user attribute administrator(s). This ensures that unauthorized users cannot manipulate the attributes or attribute levels.

Claims (18)

  1. Method for determining the access of a user to at least one feature that characterizes an application function in a computer system that executes at least one application and a database (8), wherein each application has at least one feature, comprising the steps of: assigning at least two attributes to the user, one of which relates to the ability to access data and one to the ability to handle retrieved data; storing the at least two attributes in a first table (11) in the database (8); executing an application in the computer system; obtaining from the first table (11) two or more of said at least two attributes associated with the user, one of which concerns the ability to access data and one the ability to handle retrieved data; and enforcing the obtained attributes, whereby the user's access to data and his ability to handle retrieved data are determined in accordance with the obtained attributes.
  2. The method of claim 1, wherein more than one of the at least two attributes relates to the ability to access data.
  3. The method of claim 1, further comprising the steps of: prior to the executing step, assigning a parent value to each actual value of the at least two attributes, thereby creating one or more parent-descendant value relationships, and storing the one or more parent-descendant value relationships in a second table (15) in the database (8); and, prior to the enforcing step: obtaining the one or more parent-descendant value relationships from the second table (15), and determining whether one of the obtained attributes can be discarded according to the obtained parent-descendant value relationships.
  4. The method of claim 1, wherein the obtained attributes are made available to the executed application.
  5. The method of claim 4, with the additional step, prior to the executing step, of giving a user the choice to execute one or more applications according to the at least two attributes assigned to him.
  6. The method of claim 4, wherein more than one of the at least two attributes relates to the ability to access data.
  7. The method of claim 4, with the following additional steps prior to the executing step: assigning a parent value to each actual value of the at least two attributes, and storing the parent-descendant value relationships in a second table in the database; and, prior to the enforcing step: obtaining the parent-descendant value relationships from the second table, and determining whether one of the obtained attributes can be discarded according to the obtained parent-descendant relationships.
  8. The method of claim 1, wherein at least one attribute is assigned to a group (106), the group (106) is assigned to at least one user, the group (106) is stored in a table (15) in the database (8), an application is executed in the computer system (5), the group (106) associated with the user is obtained from the data table (15), and the obtained attributes are enforced, whereby the user's access to the at least one feature of the application corresponds to the at least one attribute that is assigned to the group (106) from the data table (15).
  9. The method of claim 8, wherein the at least two attributes associated with the group establish only one access to the application.
  10. Computer system (5), comprising: means for executing an application having at least one feature designating an application function; means for maintaining a database (8); means for assigning at least two attributes to a user, one of which relates to the ability to access data and one to the ability to handle accessed data; means for storing the at least two attributes in a first table (11) in the database (8); means for obtaining the at least two attributes associated with the user from the first table (11); and means for enforcing the obtained attributes, whereby the user's access to data and his ability to handle accessed data are determined according to the at least two attributes associated with the user.
  11. The system of claim 10, wherein more than one of the at least two attributes relates to the ability to access data.
  12. The system of claim 10, further comprising: means for assigning a parent value to a respective current value of the at least two attributes, thereby creating one or more parent-descendant value relationships; means for storing the one or more parent-descendant value relationships in a second table (15) in the database (8); means for obtaining the one or more parent-descendant value relationships from the second table (15); and means for determining whether one of the obtained attributes can be discarded according to the parent-descendant value relationships.
  13. The system of claim 10, comprising: means for making the obtained attributes available to the application.
  14. The system of claim 13, including means for giving the user the choice to execute one or more applications according to the at least two attributes assigned to him.
  15. The system of claim 13, wherein more than one of the at least two attributes relates to the ability to access data.
  16. The system of claim 13, comprising: means for assigning a parent value to a respective current value of the at least two attributes; means for storing parent-descendant value relationships in a second table in the database; means for obtaining the parent-descendant value relationships from the second table; and means for determining whether one of the obtained attributes can be discarded according to the obtained parent-descendant value relationships.
  17. The computer system of claim 10, further comprising: means for assigning at least two attributes to a group (106), one of which concerns the ability to access data and one the ability to handle accessed data; means for assigning the group (106) to a user; means for storing the group (106) in a table (15) in the database (8); means for retrieving the group associated with the user from the data table; and means for enforcing the obtained attributes, whereby the user's access to data and his ability to handle retrieved data correspond to the at least two attributes that are assigned to the group (106) from the data table (15).
  18. The system of claim 17, wherein the at least two attributes associated with the group establish only one access to the application.

DE69934894T 1998-07-17 1999-07-15 Method and device for optionally adjusting access to application features Expired - Lifetime DE69934894T2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US118621 1998-07-17
US09/118,621 US6430549B1 (en) 1998-07-17 1998-07-17 System and method for selectivety defining access to application features
PCT/US1999/016029 WO2000004435A1 (en) 1998-07-17 1999-07-15 System and method for selectively defining access to application features

Publications (2)

Publication Number Publication Date
DE69934894D1 DE69934894D1 (en) 2007-03-08
DE69934894T2 true DE69934894T2 (en) 2007-11-15

Family

ID=22379742

Family Applications (1)

Application Number Title Priority Date Filing Date
DE69934894T Expired - Lifetime DE69934894T2 (en) 1998-07-17 1999-07-15 Method and device for optionally adjusting access to application features

Country Status (20)

Country Link
US (2) US6430549B1 (en)
EP (1) EP1108238B1 (en)
JP (1) JP4571746B2 (en)
KR (3) KR100628426B1 (en)
CN (1) CN1318163B (en)
AT (1) AT352071T (en)
AU (1) AU757061B2 (en)
BG (1) BG64962B1 (en)
BR (1) BR9912119A (en)
CA (1) CA2336987A1 (en)
DE (1) DE69934894T2 (en)
EA (1) EA003618B1 (en)
ES (1) ES2280123T3 (en)
HR (1) HRP20010029B1 (en)
HU (1) HU0301138A2 (en)
IL (1) IL140906D0 (en)
NZ (1) NZ509240A (en)
PL (1) PL345904A1 (en)
WO (1) WO2000004435A1 (en)
YU (1) YU2701A (en)

Also Published As

Publication number Publication date
AU757061B2 (en) 2003-01-30
EA200100145A1 (en) 2001-06-25
US6430549B1 (en) 2002-08-06
KR20060076790A (en) 2006-07-04
EP1108238A1 (en) 2001-06-20
CN1318163B (en) 2010-06-09
BG64962B1 (en) 2006-10-31
KR100712569B1 (en) 2007-05-02
EA003618B1 (en) 2003-08-28
HU0301138A2 (en) 2003-08-28
ES2280123T3 (en) 2007-09-01
KR100628426B1 (en) 2006-09-28
HRP20010029A2 (en) 2001-12-31
AT352071T (en) 2007-02-15
JP4571746B2 (en) 2010-10-27
JP2002520727A (en) 2002-07-09
PL345904A1 (en) 2002-01-14
KR20060089753A (en) 2006-08-09
YU2701A (en) 2002-12-10
WO2000004435A1 (en) 2000-01-27
BR9912119A (en) 2001-10-16
US20030050913A1 (en) 2003-03-13
BG105150A (en) 2001-07-31
KR100692330B1 (en) 2007-03-14
EP1108238B1 (en) 2007-01-17
KR20010071933A (en) 2001-07-31
NZ509240A (en) 2002-11-26
HRP20010029B1 (en) 2008-04-30
IL140906D0 (en) 2002-02-10
DE69934894D1 (en) 2007-03-08
HRP20010029A9 (en) 2008-03-31
CN1318163A (en) 2001-10-17
CA2336987A1 (en) 2000-01-27
US6578029B2 (en) 2003-06-10
AU4997899A (en) 2000-02-07

Legal Events

Date Code Title Description
8364 No opposition during term of opposition
8327 Change in the person/name/address of the patent owner

Owner name: HEWLETT-PACKARD DEVELOPMENT CO., L.P., HOUSTON, US

8328 Change in the person/name/address of the agent

Representative's name: SCHOPPE, ZIMMERMANN, STOECKELER & ZINKLER, 82049 P